SSH Key Management
Public key authentication is more secure than passwords.
Key Types Comparison
| Type | Key Size | Security | Performance |
|---|---|---|---|
| ED25519 | 256-bit | Excellent | Fast |
| RSA | 4096-bit | Good | Slower |
| ECDSA | 256/384/521-bit | Good | Fast |
Recommendation: Use ED25519 for all new keys.
Generate Keys
ED25519 (Recommended)
# Generate ED25519 key
# ssh-keygen prompts for a passphrase; leave it empty only for keys that must
# run unattended (automation), and treat those key files as secrets.
ssh-keygen -t ed25519 -a 100 -C "user@hostname"
# Options:
# -a 100 = 100 KDF rounds (more secure) — the rounds only matter when the key is
#   passphrase-protected: they slow down offline guessing of the passphrase if
#   the key file is stolen, and do nothing for a key saved without one.
# -C = comment; it is stored in the public key and copied verbatim into every
#   authorized_keys it is added to, so use a plain identifier and no secrets.
# -C = Comment to identify the key
RSA (Legacy Compatibility)
# Generate RSA 4096-bit key
# Only for peers that cannot use ED25519; the recommendation above still applies.
ssh-keygen -t rsa -b 4096 -o -a 100 -C "user@hostname"
# -b 4096 = 4096-bit key; do not go below this for any new RSA key.
# -a 100 as above: the KDF rounds protect a passphrase-encrypted key only.
# -o = new OpenSSH private-key format; current ssh-keygen already writes that
#   format by default, so the flag is redundant there but harmless to keep.
# -o = New OpenSSH format
Deploy Keys
ssh-copy-id
# Copy public key to server
# This first hop still needs a working login (usually a password). Check the
# host-key fingerprint shown on first connect against a value obtained out of
# band before typing that password; the key is appended to the remote
# ~/.ssh/authorized_keys (the directory is created if missing).
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server
# Verify connection
# Once the key login works, disable PasswordAuthentication in the server's
# sshd_config so the password path cannot be used any more.
ssh user@server
Manual Deployment
# On the server
mkdir -p ~/.ssh
chmod 700 ~/.ssh
# "your-public-key" is a placeholder for the entire one-line contents of the
# .pub file (key type, base64 blob, optional comment). >> appends, so keys
# already present are kept.
# sshd (StrictModes, on by default) silently ignores authorized_keys when ~,
# ~/.ssh or the file itself is writable by group or others — check the home
# directory's mode as well, not just the two paths below.
echo "your-public-key" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Key Security
Permissions
# Private key - owner read only
# ssh refuses to use a private key that other users can read ("permissions are
# too open"), so a wrong mode shows up as a failed login rather than silently.
chmod 600 ~/.ssh/id_ed25519
# Public key - readable
chmod 644 ~/.ssh/id_ed25519.pub
# SSH directory
chmod 700 ~/.ssh
# authorized_keys
# Ownership matters as much as mode: every path here must belong to the login
# user, or sshd's StrictModes check rejects the file.
chmod 600 ~/.ssh/authorized_keys
Passphrase Protection
# Add passphrase to existing key
# -p rewrites the key file in place (asks for the old and the new passphrase).
# The passphrase protects the key only at rest; it is what the -a KDF rounds
# used at generation time defend against offline guessing.
ssh-keygen -p -f ~/.ssh/id_ed25519
# Use ssh-agent to cache passphrase
# -s prints sh-style export lines for the agent's socket and PID; eval applies
# them to this shell (the text comes from ssh-agent itself, not from user input).
# Keys added to the agent stay usable without the passphrase until the agent
# exits, and anyone who can reach its socket (root on this host, or remote
# hosts when ForwardAgent is enabled) can sign with them. Give cached keys a
# lifetime with `ssh-add -t <seconds>` instead of leaving them loaded for good.
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
SSH Config
# ~/.ssh/config
# ssh uses the FIRST value it finds for each option, so the host-specific
# sections must stay above the "Host *" defaults at the bottom.
Host production
HostName prod.example.com
User deploy
# One key per environment: a stolen staging key cannot be used against production.
IdentityFile ~/.ssh/id_ed25519_prod
# Offer only the key named above, not every key currently loaded in the agent.
IdentitiesOnly yes
Host staging
HostName staging.example.com
User deploy
IdentityFile ~/.ssh/id_ed25519_staging
IdentitiesOnly yes
# Global defaults
Host *
# Load a key into the running agent the first time it is used (passphrase asked once).
AddKeysToAgent yes
# Without this, ssh tries every agent key against every server, which reveals
# the full set of keys you hold to each server and can exhaust its MaxAuthTries.
IdentitiesOnly yes
# Store hostnames hashed in known_hosts, so a copied file does not list where you log in.
HashKnownHosts yes
ServerAliveInterval 60
Key Rotation
# Generate new key
# The dated comment makes the key easy to locate in authorized_keys when it is
# retired in turn.
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_new -C "user@hostname-$(date +%Y%m)"
# Add new key to servers while old key still works
# Repeat for every host (and any service, e.g. a git forge) that trusts the old
# key; a key only counts as rotated once it has been replaced everywhere.
ssh-copy-id -i ~/.ssh/id_ed25519_new.pub user@server
# Test new key
# Do this in a second session and keep the existing one open. Adding
# -o IdentitiesOnly=yes prevents the old key in the agent from masking a
# failure, and -v shows which key the server actually accepted.
ssh -i ~/.ssh/id_ed25519_new user@server
# Remove old key from server's authorized_keys
# Delete only the line matching the old key's comment or fingerprint, never
# the whole file; then point IdentityFile in ~/.ssh/config (or the file name)
# at the new key.
# Then retire old local key
Certificate-Based SSH
# Create CA key (keep this VERY secure)
# Whoever holds ca_key can mint a certificate for any principal on every server
# that trusts it: set a passphrase, and keep the private key off the servers
# (on an offline signing host or in an HSM).
ssh-keygen -t ed25519 -f ca_key -C "SSH Certificate Authority"
# Sign user key
# Writes id_ed25519-cert.pub next to the public key; the user presents the
# certificate together with the matching private key.
# -I = identity string; sshd records it in its auth log for every login, so
#      make it attributable to a person.
# -n = principals the certificate may log in as. With TrustedUserCAKeys alone
#      the login name must appear here (AuthorizedPrincipalsFile can map others).
# -V +52w = valid for 52 weeks; without -V the certificate never expires.
#      Shorter lifetimes mean fewer cases that need explicit revocation
#      (RevokedKeys / a KRL) later.
ssh-keygen -s ca_key -I user@hostname -n user -V +52w id_ed25519.pub
# On servers, add to sshd_config — the CA's *public* key (ca_key.pub) only;
# the private ca_key never needs to be on a server:
# TrustedUserCAKeys /etc/ssh/ca_key.pub